The Office of the Superintendent of Financial Institutions (OSFI) has released updated requirements governing how federally regulated financial institutions should disclose and report technology and cyber security incidents to OSFI.
The updated Technology and Cyber Security Incident Reporting Advisory replaces the original advisory published in January 2019. The accompanying Cyber Security Self-Assessment is available online and replaces the initial self-assessment, first published in October 2013.
Under the updated advisory, a federally regulated financial institution (FRFI) must report a technology or cyber security incident to the regulator’s Technology Risk Division, as well as to its lead supervisor at OSFI, within 24 hours, or sooner if possible. A new ‘failure to report’ section of the advisory stipulates that any FRFI that does not report a cyber incident could be subject to increased supervisory oversight, placed on a watch list, or assigned one of the stages in OSFI’s supervisory intervention approach.
The self-assessment, meanwhile, is an extensive and updated checklist designed to gauge and improve a FRFI’s current state of readiness against emerging and expanding cyber threats, and it examines a company’s ability to respond to an incident.
“As members of a sector critical to the Canadian economy, FRFIs have a responsibility to address technology and cyber security incidents in a timely and effective manner. FRFIs are required to provide timely notification to OSFI when incidents related to their operations occur,” OSFI writes in the advisory. “This requirement should be reflected in FRFIs’ policies and procedures for dealing with technology and cyber security incidents.”